With software like the Deception ToolKit, TCP wrappers, and other similar software, you can add deceptions to your firewall so that those who try to probe the network for weaknesses are rapidly detected and misdirected while legitimate users continue without impairment.
Because of performance limitations, content filtering in firewalls is normally limited to special purpose proxy servers and DMZ computers, but there is a limited amount of filtering that can be done within a gateway computer if the proper software is available.
There is literally no end to the amount of time, effort, and money that can be spent in augmenting firewalls to provide additional protection. The issue is not whether you can do more, but rather whether you should. Should you spend more on your firewall or on added host security? Should you spend more time on training and awareness to make the attacks that still work in a technical sense ineffective because of human factors? Should you change from less secure to more secure operating environments on internal computers to mitigate risks instead of pouring more and more money into the firewall?
These are questions you will need to answer on your own, but hopefully, you now have the knowledge and the basis to understand what can and cannot be readily done and how to do it.
In this section, we have described and demonstrated the use of deceptions to augment firewall effectiveness, shown how simple content filtering can be done and described the limitations associated with it, and discussed the question of how far to go with your firewalls.